Re: [Dnsmasq-discuss] many tap devices, provide dhcp and ipv6 slaac
2016-05-27 17:56 GMT+03:00 Neil Jerram:
> Hi Vasiliy,
>
> I assume your TAP devices are _not_ bridged on the host?
>
> If so, you can use the same approach as we use for Calico networking in
> OpenStack -
> http://docs.openstack.org/developer/networking-calico/implementation-notes.html#dhcp
>
> You'll need:
>
> - a dummy interface, with an address in the 85.143.220/24 CIDR
> - to populate the dnsmasq hosts file with the IP/MAC mappings for your VMs
> - to tell dnsmasq to listen on the dummy interface and all the TAPs, and treat
>   the TAPs as aliases of the dummy interface (using --bridge-interfaces).
>
> Hope that helps - happy to provide more detail if you need.
>
> Neil

Thanks! Do I need an address with the corresponding netmask on the dummy interface, or can I use a /32 address that acts like a gateway for the VM?

I have some discussion on the libvirt mailing list about plain ethernet devices, and my next plans are to add the ability to configure dnsmasq via libvirt for these networks.

So in the case of libvirt I have dnsmasq running on virtbr0, for example, and on each VM start I need to reconfigure dnsmasq to add the needed tap device to it? Why can't I use --interface=tap*? Does dnsmasq monitor network interfaces via netlink and automatically listen on them when they are added to the host?

--
Vasiliy Tolstov,
e-mail: v.tols...@yoctocloud.net

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
Re: [Dnsmasq-discuss] many tap devices, provide dhcp and ipv6 slaac
Hi Vasiliy,

I assume your TAP devices are _not_ bridged on the host?

If so, you can use the same approach as we use for Calico networking in OpenStack - http://docs.openstack.org/developer/networking-calico/implementation-notes.html#dhcp

You'll need:

- a dummy interface, with an address in the 85.143.220/24 CIDR
- to populate the dnsmasq hosts file with the IP/MAC mappings for your VMs
- to tell dnsmasq to listen on the dummy interface and all the TAPs, and treat the TAPs as aliases of the dummy interface (using --bridge-interfaces).

Hope that helps - happy to provide more detail if you need.

Neil

On Fri, May 27, 2016 at 3:32 PM Vasiliy Tolstov wrote:
> Hi. I have such a setup:
>
> ip -4 a s tap37183
> 148: tap37183: mtu 1500 qdisc htb state UNKNOWN group default qlen 500
>     link/ether fe:54:00:00:58:9f brd ff:ff:ff:ff:ff:ff
>     inet 85.143.216.1/32 scope global tap37183
>        valid_lft forever preferred_lft forever
>     inet 192.168.240.110 peer 85.143.220.84/32 scope global tap37183
>        valid_lft forever preferred_lft forever
>
> 85.143.216.1/32 is the gw address for the VM
>
> 192.168.240.110 peer 85.143.220.84/32 scope global tap37183
> this is the host address with the VM address added as peer (/32)
>
> What do I need to add to the dnsmasq conf to serve this VM, for a DHCP
> request with MAC 25:54:00:00:58:9f, address 85.143.220.84 with netmask
> /24?
>
> Thanks!
> --
> Vasiliy Tolstov,
> e-mail: v.tols...@yoctocloud.net
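The three steps in Neil's reply, as an added example that is not part of the original thread or of the Calico code: a script that renders the dnsmasq settings and the DHCP hosts file from a VM inventory, dropping malformed entries before they reach the config. The names dummy0 and /etc/dnsmasq.d/vm-hosts, the dummy address 85.143.220.1 and the two rejected inventory lines are assumptions; the dnsmasq option itself is spelled bridge-interface.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: dummy0 and
# /etc/dnsmasq.d/vm-hosts. Host-side setup, as root, for reference:
#   ip link add dummy0 type dummy
#   ip addr add 85.143.220.1/24 dev dummy0   # .1 is an assumed address
DUMMY=dummy0
SUBNET=85.143.220                 # the /24 named in the thread
HOSTSFILE=/etc/dnsmasq.d/vm-hosts

# Inventory: "<vm-mac> <vm-ip> <tap>". Line 1 uses the thread's values; the
# other two are constructed to show entries that get rejected.
INVENTORY='25:54:00:00:58:9f 85.143.220.84 tap37183
52:54:00:00:00:zz 85.143.220.85 tap2
52:54:00:00:00:02 10.0.0.5 tap3'

# Accept only a well-formed MAC, a host address inside the /24 and a plain
# tap name, so nothing unexpected is written into the generated files.
valid_entry() {
  echo "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
  case "$2" in "$SUBNET".*) ;; *) return 1 ;; esac
  last=${2#"$SUBNET".}
  case "$last" in ''|*[!0-9]*) return 1 ;; esac
  [ "$last" -ge 1 ] && [ "$last" -le 254 ] || return 1
  case "$3" in tap*) ;; *) return 1 ;; esac
  case "$3" in *[!A-Za-z0-9]*) return 1 ;; esac
  return 0
}

valid_rows() {   # inventory lines that passed validation
  echo "$INVENTORY" | while read -r mac ip tap; do
    if valid_entry "$mac" "$ip" "$tap"; then echo "$mac $ip $tap"; fi
  done
}

render_hosts() { # body of the dhcp-hostsfile: one "mac,ip" per VM
  valid_rows | while read -r mac ip tap; do echo "$mac,$ip"; done
}

render_conf() {  # dnsmasq.conf fragment
  echo "interface=$DUMMY"
  aliases=
  for tap in $(valid_rows | cut -d' ' -f3); do
    echo "interface=$tap"          # listen on each TAP ...
    aliases="$aliases,$tap"
  done
  echo "bridge-interface=$DUMMY$aliases"   # ... and treat it as dummy0
  # "static": leases go only to MACs listed in the hosts file
  echo "dhcp-range=$SUBNET.0,static,255.255.255.0"
  echo "dhcp-hostsfile=$HOSTSFILE"
}
```

Redirect `render_conf` and `render_hosts` into the two files and reload dnsmasq whenever the inventory changes.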
[Dnsmasq-discuss] many tap devices, provide dhcp and ipv6 slaac
Hi. I have such a setup:

ip -4 a s tap37183
148: tap37183: mtu 1500 qdisc htb state UNKNOWN group default qlen 500
    link/ether fe:54:00:00:58:9f brd ff:ff:ff:ff:ff:ff
    inet 85.143.216.1/32 scope global tap37183
       valid_lft forever preferred_lft forever
    inet 192.168.240.110 peer 85.143.220.84/32 scope global tap37183
       valid_lft forever preferred_lft forever

85.143.216.1/32 is the gw address for the VM

192.168.240.110 peer 85.143.220.84/32 scope global tap37183
this is the host address with the VM address added as peer (/32)

What do I need to add to the dnsmasq conf to serve this VM, for a DHCP request with MAC 25:54:00:00:58:9f, address 85.143.220.84 with netmask /24?

Thanks!

--
Vasiliy Tolstov,
e-mail: v.tols...@yoctocloud.net
[Dnsmasq-discuss] Clarify/Improve DNSSEC related SIGHUP handling
Hi Simon,

Please could you consider the attached patch. It solves a problem that using dnssec-timestamp also effectively enabled dnssec-no-timecheck. The result of which is that an unfortunately timed SIGHUP could accidentally enable dnssec timestamp checking. In combination with dnssec-check-unsigned that could prove 'challenging' :-)

The patch matches the behaviour as documented in the manpage.

kind regards,

Kevin

>From f94c6d70aaaea0511ef3c7667093b4b54952804e Mon Sep 17 00:00:00 2001 From: Kevin Darbyshire-BryantDate: Fri, 27 May 2016 10:23:47 +0100 Subject: [PATCH] Improve dnssec SIGHUP behaviour Signed-off-by: Kevin Darbyshire-Bryant --- src/dnsmasq.c | 7 --- src/dnsmasq.h | 1 + src/dnssec.c | 5 +++-- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/src/dnsmasq.c b/src/dnsmasq.c index 045ec53..a47273f 100644 --- a/src/dnsmasq.c +++ b/src/dnsmasq.c @@ -750,7 +750,8 @@ int main (int argc, char **argv) my_syslog(LOG_INFO, _("DNSSEC validation enabled")); - if (option_bool(OPT_DNSSEC_TIME)) + daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME); + if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future) my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload")); if (rc == 1) @@ -1226,10 +1227,10 @@ static void async_event(int pipe, time_t now) { case EVENT_RELOAD: #ifdef HAVE_DNSSEC - if (option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME)) + if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME)) { my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps")); - reset_option_bool(OPT_DNSSEC_TIME); + daemon->dnssec_no_time_check = 0; } #endif /* fall through */ diff --git a/src/dnsmasq.h b/src/dnsmasq.h index 1896a64..be27ae0 100644 --- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -992,6 +992,7 @@ extern struct daemon { #endif #ifdef HAVE_DNSSEC struct ds_config *ds; + int dnssec_no_time_check; int back_to_the_future; char *timestamp_file; #endif 
diff --git a/src/dnssec.c b/src/dnssec.c index 3c77c7d..64358fa 100644 --- a/src/dnssec.c +++ b/src/dnssec.c @@ -522,15 +522,16 @@ static int check_date_range(u32 date_start, u32 date_end) if (utime(daemon->timestamp_file, NULL) != 0) my_syslog(LOG_ERR, _("failed to update mtime on %s: %s"), daemon->timestamp_file, strerror(errno)); + my_syslog(LOG_INFO, _("system time considered valid, now checking DNSSEC signature timestamps.")); daemon->back_to_the_future = 1; - set_option_bool(OPT_DNSSEC_TIME); + daemon->dnssec_no_time_check = 0; queue_event(EVENT_RELOAD); /* purge cache */ } if (daemon->back_to_the_future == 0) return 1; } - else if (option_bool(OPT_DNSSEC_TIME)) + else if (daemon->dnssec_no_time_check) return 1; /* We must explicitly check against wanted values, because of SERIAL_UNDEF */ -- 1.9.1
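Review bot: in the main() hunk of src/dnsmasq.c the startup message is now gated on !daemon->back_to_the_future, but the assignment daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME) just above it is not. If back_to_the_future can already be set at this point, as the new condition implies, the flag is left at 1 with nothing logged. Either guard the assignment with the same condition or add a comment saying why the flag may stay set in that case.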
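Review bot: in the async_event() hunk of src/dnsmasq.c the test option_bool(OPT_DNSSEC_TIME) looks redundant next to daemon->dnssec_no_time_check, since in the visible hunks the flag is only ever set from that option and the option is no longer reset. Consider reducing the condition to daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID), or note in a comment why all three checks are wanted. The one-shot behaviour on SIGHUP now rests entirely on clearing the flag, which is worth saying next to the assignment.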
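Review bot: the new field int dnssec_no_time_check in struct daemon (src/dnsmasq.h) has no comment, and its name is close to the option it shadows. A short comment stating that it is runtime state, initialised from OPT_DNSSEC_TIME and cleared once timestamp checking starts, would stop a later change from testing the option where the flag is meant.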
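Review bot: in the check_date_range() hunk of src/dnssec.c the added log string ends with a full stop ("...now checking DNSSEC signature timestamps.") while the existing messages in this patch, such as "now checking DNSSEC signature timestamps", do not; drop it for consistency and to keep the translatable strings uniform. Also note that this path clears dnssec_no_time_check before queue_event(EVENT_RELOAD), so the EVENT_RELOAD branch will not log its own "now checking" line here; if that is intended, a one-line comment would make it clear.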